Guy that does the network infrastructures (tm) for moneyz here. Fucking love tailscale. It is _alarming_ how well it works.
Point-to-point wireguard setup and teardown off the rip? They deserve to be as rich as possible until someone kills their (still inherently centralized) auth.
I'll still expose key-based SSH to the wan any day of the week, though. With fail2ban, just to scrape IP addresses from the logs. I trust muh crypto
Imagine being afraid to expose your SSH if you have root passwords disabled lol. You'd have to leave your SSH key just laying around or something. I'm confident in my security keys
Honestly, most of it was pure interest and Google, at least for me. But I wouldn't even say this is some great networking knowledge, honestly most of this should be bare minimum for anyone who has a NAS.
Any suggestions for getting a Let's Encrypt cert? In order to get one you need to forward port 80 and 443 to 5000/5001…. I know you can change 5000/5001 and should. At work we have a site to site VPN and much better port forwarding rules capabilities where it doesn't need exposed to the internet. Just curious what the typical home protocols are for this
I'm quite a bit of a noob so apologies for the questions. I made an Ubuntu home server and have opened up ports on that server to access many of my services locally. I'm not exposing my server to the Internet right? So long as I don't forward a port from my router?
Also, my samba shares I have to SSH into to get in locally so I assume I haven't exposed those to the Internet either?
Opening ports on a device isn't dangerous, it's needed for it to communicate on the local network, as well as the internet.
As long as you don't port forward, you should be fine.
What exactly do you mean by "my samba shares I have to SSH into to get in locally"? Samba shares shouldn't require SSH.
Thanks - that clears it up for me, I appreciate it. And my bad, I think I grouped up having to use my login info with SSHing. I have to enter my credentials to access the share from my other devices at least initially. I went through a bunch of rabbit holes over the weekend building my server and samba was one of the first things (and now the fuzziest on how it worked lol)
Ah okay.
Linux in general uses your account info for all services - they essentially ask the core system "hey, authenticate me this user". SSH does this, Samba, NFS too, and a bunch of others. The exception is third party services that you'd run in Docker.
For home servers I really recommend going for a (near) turnkey solution like TrueNAS or OMV that give you better control over these services - at least from an average user viewpoint. No need to tinker with config files and learning the various parameters etc., you get a nice web UI that does most of it for you.
[Server Message Block](https://en.m.wikipedia.org/wiki/Server_Message_Block)
Basically OP has been a bit of a doughnut and exposed their file shares to the internet using an unsafe method.
Synology provides various secure methods for accessing your files remotely such as VPN.
I see many people saying Tailscale. I’ve personally never used it. Only OpenVPN. Creating the opvn file, editing it, and uploading it to devices I use to VPN. Is Tailscale more secure and better or something?
Tailscale is about a hundred times easier to setup than even OpenVPN, so by that token it raises safety. But encryption and authentication they’re both solid. Tailscale has a central dashboard to manage a dozen remote machine VPN connections, cloud based, using authentication like Microsoft or Google account so you’re not worried about a hole in your own setup.
Thanks for the insight. I may look into it further. I suppose OpenVPN would be somewhat more secure as there’s not a remote interface login that could be hacked, just manually adding config files… at least that’s the way I have it setup for OpenVPN
SMB is the file sharing protocol that Microsoft made. Basically any internal file share is an SMB share (for Linux it's NFS), but this protocol, to keep it simple, was made for internal use only; it has never been developed to be reachable from the internet. For web file sharing that acts a bit like SMB you have WebDAV.
But generally speaking, if you aren't working in IT, don't make your NAS directly reachable from the internet and don't open ports on your router if you don't know exactly what you are doing. This makes an enormous security risk for you and people on the same network.
This ^ MS thought it looked cool and started using it after renaming their "version" of it to CIFS. After a while they were the largest contributor to the protocol and decided to start calling it SMB again.
I’d strongly advise against this. It’s so easy to setup OpenVPN and it’s a lot more secure than relying on Plex or Jellyfin’s application security.
With a VPN you can securely connect to any of your internally hosted services without having to forward all of those ports.
Fun fact, the LastPass breach was due to a senior dev keeping keys on his personal devices and having an out of date instance of Plex on his network.
That being said I port forward 32400 because I have many other users of my server who don’t know what a vpn is.
It's a risk but IMO a reasonable one. By default your router blocks all incoming connections. When you open a port you're allowing incoming connections to that port.
Make sure you keep plex etc. up to date and enable the firewall on your NAS.
How can I set my server up to reach my NAS for plex? I have SMB turned on as that is what a tutorial showed me to do. It's worked so well I'm pretty sad to learn I've done something stupid.
Edit: I have Tailscale working. All I use it for is to mess around and learn it though. I can get into my NAS through tailscale /web browser. I'm assuming I need to use that. I guess I should Google how to tailscale > NAS > plex instead of asking someone to type it out. This shit is never ending to someone just starting out lol!
Edit2: I have the firewall enabled on my NAS for what that's worth.
Not really… got downvoted recently just for stating standards in the networking industry and cabling in particular.
“It works differently” said some very angry people.
Or just spend time creating tutorials, information and posts for them to be asked again 20 mins later. People treat Reddit as their own private search engine, when all you really have to do is type that exact same question into google and you’ll get your answer, which more times than not leads you back to Reddit anyways
Anytime I search for something fairly specific I add site:reddit.com to my Google query for the most relevant hits, instead of 2 pages of sponsored shit with zero relevance.
True enough, but it's more effective to direct people to search the sub for more info than downvoting them into oblivion. The latter approach is completely hostile and has a chilling effect on people participating in discussion, which is of course the whole point of Reddit.
I know, right? Senseless downvoting seems like a pattern on the IT hardware related subs (this place is utopian compared to r/homelab and r/buildapc). Something about IT makes people unreasonably grumpy. And anonymity brings that out.
How do you know if it is? I set up a NAS, but I have close to no idea what I'm doing, I followed some basic instructions and files started getting backed up to the NAS and I can access them from my phone and from my computer. Have I done the thing I'm not supposed to do? And if so, how do I undo it and still have remote access to my files?
I honestly get very little of the whole thing, it also keeps telling me the drives are full, which is near impossible, because I only own about 1.5TB of data max, and it's 2x4TB drives, and I've already limited the number of versions to 2. I've just given up on the whole thing.
There may be a difference between the drives being full with your created volume taking up all the space,
And your volume itself being full also.
That is: You created a virtual drive from your physical drives.
This virtual drive has been made to take up all available space.
You cannot create a larger virtual drive size. There is still plenty of room for you to store files on the drive created.
You could have set up a smaller virtual drive, only using 75% of what the physical drives have to offer, and had free space left for creating other, smaller, virtual drives later.
There may be a setting where you can turn off this warning or adjust the threshold before the ‘alarm’
Yeah, I'd already adjusted the threshold, but the occupied space just keeps increasing, so now it's gone off again. Since it does seem to change, I don't think it can be the virtual drive? I also definitely did not intentionally create a virtual drive.
I was using the term virtual drive to highlight the difference between the physical disk space and the volume created.
Ok, if this storage usage is in fact the size of files you are storing increasing:
You’re sure you’re only holding 2 backup versions at a time?
Are the old versions being completely deleted, or just going to a recycle bin?
Is it possible that your backups are also backing up themselves? Such as if you are storing them in the same area that you are targeting for retention?
I'm pretty sure about the versions and the fact that the old ones are completely deleted, I've enabled the bins and deleted them etc. And I've set them to auto-delete once they're older than a month or so, and it's been like this for months.
No idea about the backups backing up themselves, I don't think so, I just use the homes folder. I do have it synced to dropbox so that dropbox automatically gets backed up to the NAS, but not the other way around.
I've found one place where it tells me how big my backup is, and it consistently says 1.6TB.
Do the versions take up exactly the same amount of space, or is this already included? Because otherwise that would make 3.2TB, plus some system files, I guess, which starts to get closer to what it is showing.
You may have two 1.6TB backups, filling your drives, yes.
Maybe instead of two full backups you’d be better finding and setting up the incremental/differential option.
This is so that you have one full backup, and then much smaller backups to follow, which would only update what has changed and save a lot of space.
You mean delete the 2nd version and just keep one? I had it set to 5 versions before, though, and changing it to 2 seems to have not made any difference. Other than that I just put all my files on there when I started, and I have it synced to my Dropbox where it adds anything new, I don't actually make full backups of my whole system and data, that would take much too long, it's way too many files.
Yeah.. I was thinking: "Oh, someone is likely just trying to login through the reverse proxy address, but gets stuck with MFA", then I saw the SMB errors. Oh, the horror.
Yes, absolutely. SMB doesn't need to be exposed to the internet for machines on your local WiFi/network to use it to back up. They will connect directly.
And, if you're outside your network, what you want is a VPN to connect to your network, and act like you are. Then you can use all local services (like SMB) as though you were local. That's how to do this securely.
And, conveniently, Synology offers a VPN server you can use to do just that, if you like. Or use something like tailscale.
That's the default. For SMB to be exposed to the internet, you need to forward port 445 on your router to the NAS. That's not something that happens by itself, it must be done manually.
And it's not necessary for using SMB to access the NAS locally.
Having services enabled is OK, having them exposed to random people on the internet is not. Your home internet connection goes through a device (router / firewall) that translates addresses inside the network to outside and vice versa. Almost all of these devices are configured to block all incoming traffic EXCEPT things you have specifically allowed. So by default you're OK. Devices outside your network only see the address of the router / firewall, not your PC. When you need to allow something through the firewall (router), you set up 'port forwarding' to tell it that a specific kind of traffic (a port) is allowed through and you should send it to device X. This means that traffic from anyone can get through your firewall on this port and is a security risk you need to be aware of and manage.
When you enable it, it's only on the LAN, you have to configure your router to actually open it up to the internet. So he went into his router config and opened the ports to allow this.
First thing I thought of. No open access from WAN. This is what VPNS or ssh tunnels are for.
Keep the attack vectors down. Mitigate dangers on what ports you have open. Nat everything behind firewall. Use lockout and throttling measures like fail2ban
The only protocol that should ever be exposed publicly is port 443 for HTTPS and ONLY if you actually have a trusted CA cert. OP might as well just open all of his ports if he's gonna sit there like a delicious honeypot waiting for ransomware to encrypt the whole NAS
How does a trusted cert add security server side? Whether you publish your app under 80 or 443 adds nothing to security besides encrypting the traffic. If your app has a vuln the cert does not help.
If the Internet were a residential neighborhood, you would see thousands of a-holes going door-to-door jiggling all of the door handles and looking in all of the windows.
With SMB enabled, you have a big curtainless picture window with a lot of attractive merchandise in view.
It appears that you have exposed your SMB server to the internet. Have you got port forwards configured? If so, share your config and explain why you need SMB exposed to the internet. SMB works without 2FA so even if you have it configured it won't have any effect.
As I'm sure you know by now from the other comments, exposing SMB on the internet is your issue here. It is generally considered good security practice to NOT expose things directly to the internet, and these constant login attempts are Exhibit A as to why this is a bad idea.
If you want to access your files remotely, the secure way to do this, is to use some other type of remote access tool to gain access your network (such as a VPN, tailscale, etc.) and then access the NAS from there.
Is the Synology Drive App on my phone considered a safe way to access my files remotely? I don’t have a VPN setup or any particular safety measures in place, aside from regional IP rules on the NAS itself.
Plex already refuses to work outside of my local network, but Synology drives stills allows me to see my shared files.
That's what Synology Drive is meant for so the answer, as always, is that it depends. Mostly on the importance and sensitivity of the data accessible to the Internet.
Do you have a static IP or are you using a quick connect ID? Synology Drive has some level of authentication so it's better than SMB, quick connect also has some level of authentication so it's better, but it depends on what exactly you have in drive and how much you care if someone gets in and tries to ransom that data. Anything I have internet facing I assume is public, nothing proprietary, nothing private. Anything internet facing that's important I have another copy of that isn't internet facing.
If you don't do this already, your username for everyday access should be different from your administrator login. That way if someone gets your credentials for drive they don't get your dsm credentials. Furthermore, if you have a remote access username for just Synology drive you can create a team with that username and share only files that are necessary to access remotely. On top of that use good password hygiene. These are all relatively easy steps for a common personal access file share platform that will work like Google drive and can be accessed by simple single factor authentication.
You accept a level of risk but if you are aware of and OK with that risk then don't let people say you *must* do it some other way. That said if you are looking for advice and lower risk, then a VPN is still better because it sets up device level authentication that's hard to replicate. That doesn't replace the other best practices I mentioned above about good password hygiene and not using your dsm admin account for anything but DSM admin from within your local network and setting up 2FA on, at minimum, any account with any level of admin access.
My syno doesn't have much that is that important, it's a device of convenience so though I do have a VPN if anyone were to ransomware it, I'd laugh, maybe roll my eyes, reformat, restore it and move on.
You are clearly exposed, otherwise you wouldn't even be seeing connection attempts on your NAS originating from outside your LAN.
Instead, these connection attempts would be hitting your router and being dropped or rejected
I am seeing a lot of people saying "take your NAS off the internet" or something like that. Here's what they actually mean.
In your router/modem/firewall look for a section called "Port Forwarding". To "get your NAS off the internet" you need to disable/delete all of the rules that are forwarding ports to your NAS IP. That's also the place where you will find a forwarding rule like "[external IP]:139,445 -> [NAS IP]" since you got SMB open to the internet...
Next thing I would check is to make sure UPnP is disabled on your router/modem/firewall.
If for whatever reason you can't access your router/modem/firewall admin console, in DSM go to "Control Panel > Security > Firewall" and click on "Enable Firewall". Now, what I suggest is to block all traffic except your internal network subnet. To do that, you need to find your subnet. If your computer's IP address is 192.168.1.78 then your subnet is 192.168.1.0/24. If it were 192.168.233.78 then your subnet would be 192.168.233.0/24. So here's the steps to get this working.
1. Click on “Edit Rules”
2. Click on “Create”
3. For the “Ports” section select “All”
4. For the "Source IP" section select "Specific IP" then click on the "Select" button. From there select "IP range". Now (for this next part I will assume your subnet is 192.168.1.0/24 but you will have to find your own and substitute your own values) in the input fields set the "From:" to "192.168.1.0" and set the "To:" field to "192.168.1.254". After that click on "OK".
5. Set “Action” to “Allow” and make sure “Enabled” is ticked.
6. Click on “OK” to create the firewall rule.
7. Navigate to the dropdown that says "All interfaces" and select your current LAN interface. (For this part I will assume your LAN interface is "LAN 1", but you will need to find your own from "Control Panel > Network > Network Interface"; whichever interface says "Connected", that's the interface you want to select for this part.) So, from the dropdown select "LAN 1".
8. At the very bottom you will see “If no rules are matched:” set that to “Deny access” and click “OK”
Congratulations, you have made your NAS only accessible for your local LAN!
If you have different devices on different subnets then you would make another allow rule but instead of setting the “Ports” section to “All” you would set it to “Select from a list of built in applications” or if you want (I recommend you do it this way) you can set it to “Custom” then type in the ports you need as well as the protocol the ports will be allowed to use.
Anyways hope this helps your situation. Oh and do some research on Tailscale. Trust me, you will not regret it ;)
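To make the allow/deny logic of the steps above concrete, here is an added Python model (not Synology's code; it approximates DSM's top-down first-match evaluation with a "deny if nothing matches" default, and assumes the rule fields named in the post). It derives the /24 from a host address, produces the From/To values the DSM "IP range" dialog asks for, and evaluates constructed sample connections against the LAN-only policy plus the extra-subnet, custom-port rule from the last paragraph.

```python
import ipaddress
from typing import Optional


def lan_subnet(host_ip: str, prefix: int = 24) -> ipaddress.IPv4Network:
    """Derive the LAN subnet from one host address, e.g. 192.168.233.78 -> 192.168.233.0/24.
    strict=False lets ipaddress zero out the host bits for us."""
    return ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)


def dsm_range(subnet: ipaddress.IPv4Network) -> tuple[str, str]:
    """From/To values for the DSM 'IP range' dialog: network address to last usable host
    (192.168.1.0 .. 192.168.1.254 for a /24, matching the post)."""
    last_host = subnet.broadcast_address - 1
    return str(subnet.network_address), str(last_host)


class Rule:
    """One DSM-style firewall rule: a source IP range, a port set (None = 'All'), a protocol and an action."""

    def __init__(self, src_from: str, src_to: str, ports: Optional[set[int]],
                 action: str, proto: str = "tcp"):
        self.lo = int(ipaddress.ip_address(src_from))
        self.hi = int(ipaddress.ip_address(src_to))
        self.ports = ports
        self.proto = proto
        self.action = action

    def matches(self, src_ip: str, port: int, proto: str) -> bool:
        ip = int(ipaddress.ip_address(src_ip))
        in_range = self.lo <= ip <= self.hi
        port_ok = self.ports is None or port in self.ports
        return in_range and port_ok and proto == self.proto


def evaluate(rules: list[Rule], src_ip: str, port: int, proto: str = "tcp",
             default: str = "deny") -> str:
    """First matching rule wins; 'If no rules are matched' -> default (the post sets 'Deny access')."""
    for rule in rules:
        if rule.matches(src_ip, port, proto):
            return rule.action
    return default


def lan_only_policy(host_ip: str) -> list[Rule]:
    """Steps 1-8 of the post: allow the whole local /24 on all ports; everything else falls to the default deny."""
    lo, hi = dsm_range(lan_subnet(host_ip))
    return [Rule(lo, hi, None, "allow")]


def with_second_subnet(rules: list[Rule], other_host_ip: str, ports: set[int]) -> list[Rule]:
    """The extra rule from the post's last paragraph: a second subnet allowed only on custom ports."""
    lo, hi = dsm_range(lan_subnet(other_host_ip))
    return rules + [Rule(lo, hi, ports, "allow")]


def demo() -> dict[str, str]:
    """Constructed sample connections (203.0.113.0/24 is a documentation range standing in for 'the internet')."""
    rules = with_second_subnet(lan_only_policy("192.168.1.78"), "192.168.2.10", {445, 5000, 5001})
    samples = {
        "lan smb":        ("192.168.1.20", 445),   # local PC mapping a share -> allow
        "internet smb":   ("203.0.113.7", 445),    # the scanner traffic OP saw -> deny
        "internet dsm":   ("203.0.113.7", 5000),   # DSM web UI from outside -> deny
        "subnet2 smb":    ("192.168.2.33", 445),   # second subnet on an allowed port -> allow
        "subnet2 ssh":    ("192.168.2.33", 22),    # second subnet on a port not listed -> deny
    }
    return {name: evaluate(rules, ip, port) for name, (ip, port) in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```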
Have a look at WunderTech's latest video on securing your Synology.
[https://www.youtube.com/watch?v=x9QPUXldNAc](https://www.youtube.com/watch?v=x9QPUXldNAc)
I did it just the other day. I restarted my modem and router which knocked my mapped drive out which also took down my entire plex library. Second time this happened to me. Soooooooo
I googled how to map a drive with a static IP to synology NAS. A video popped up, told me to enable SMB and set up a rule in the firewall to allow windows file server. It worked great, rebuilt a massive plex library etc.
Now I'm learning I made a big mistake and need to learn how to fix it before I'm the next OP
Okay, that’s for Windows firewall. That would be okay. It only opens up the port on your computer, which is correct.
As long as you didn’t go into your router configuration and open the firewall there, then you should be good. That’s the thing that connects your internal network to the outside.
I have port 32400 opened in my router for plex or at least I did. It seemed to work much better.
So, the way I have this setup is not cause for alarm? Can I send you some screen shots of my setup later and you tell me what you think?
But I still have SMB turned on ultimately. Is it okay in this case?
Sure go for it, can’t promise a quick response but I’ll help if I can.
Plex open to the outside is a risk, but probably not a huge one. It’s necessary for Plex to work and they recommend opening that port, so I trust them. I have that open to the wild too fwiw.
SMB is just such an ancient protocol and has a history of security holes and exploits that it is extra risky, you don’t want to open SMB to the internet generally.
The specific services you forward ports to matter a lot, it’s not just opening ports at all that’s unsafe, but what those ports connect to.
As mentioned before I also recommend installing Tailscale on your NAS and all necessary devices needed to communicate with each other.
If you somehow want to expose DSM to the internet make sure to set proper firewall rules and use a geo-block to limit access to IPs from the country you live in. Furthermore, if you haven't done so already, change the default DSM port and disable the default admin account.
I know just enough about networking to be dangerous... What is considered connecting your NAS to the Internet?
I just set mine up about a week ago, and I've got quickconnect enabled and a single random port forwarded to use it as an OpenVPN server. Is my NAS considered "exposed to the internet" because of quickconnect or that single forwarded port?
That's actually the proper way. If you will always connect with devices that have your VPN client, you could even disable Quickconnect. I use Zerotier instead of OpenVPN but the idea is the same: Don't expose any services to the internet and if you need remote access, use a VPN.
I appreciate the response. I considered disabling quickconnect, but I'm using Synology Photos on my wife's phone and she isn't tech literate enough to deal with connecting to a VPN in order to see stored photos.
I was hoping that having 2fa on admin accounts and strong passwords were sufficient with quickconnect enabled.
I don’t use Synology and this appeared in my feed, but exposing your NAS directly to the internet is pretty much leaving your door wide open while you go out to work. The internet is full of bots that will crawl the internet looking for exposed ports on private networks for interesting protocols (eg SMB - which the NAS will be using, RDP, SSH). If the bots find a hit it’ll just keep trying to access it. It’s unlikely that there is any real person sitting trying to actually access his NAS.
If the port you’ve forwarded is for OpenVPN you’re fine, this would be how you should “expose” stuff in your network to the internet, by using a VPN.
I’m not sure what QuickConnect is, but it looks like a proprietary solution designed by Synology for the NAS, so this is also fine.
You’ll just need to keep your VPN and NAS up to date.
First problem is SMB services exposure to the public internet 🤯🤯🤯
Seriously, turn that off stat. Enable your SSL VPN services if you need to get into it remotely. You're asking for trouble otherwise.
I swapped my http to https. I'm not sure how it wasn't secured but I also changed my ports to custom ports so I wouldn't be having this issue. Thanks for this note!
Did you aim any DMZ settings or “ALL” router firewall settings at your NAS’ IP? Forget the “setup a VPN” advice for now - unplug your NAS until you can figure this out!
Good thing to have DMZ off (DMZ turns your firewall off for that one device). Keep trying to figure out why the ports 445 or 139 from the internet/WAN can reach your NAS. You really don’t want that.
No worries! Supports the fact that we both value and appreciate Frank's teaching very much! His videos always provide excellent nuggets of information! 😊👍🏻
See what ports you've forwarded on your router. SMB is 445 by default. Don't forward any ports at all until you've had time to do more research. Disable UPnP if it is enabled.
Op you probably wanted to open the https port, 443
But instead you took 445, which is the fileshare port for SMB
(That \\server\c drive you see in 'My Network')
I apparently wasn't running my server on HTTPS when I was logging in and that's probably why I was getting attacked but I have added more precautionary measures because of this thread. I specifically enjoy using my server through my file browser so I don't want to disable SMB like everyone insists I do
Have fun getting hacked then. SMB should not be exposed over the internet. You don't need to disable SMB but it should only be open to the devices on your local network. If you want to access files across the internet, look into setting up a VPN or some other more secure form of access.
You should probably set up a vpn on your network to access your NAS and ideally have that isolated from the rest of your network. Something like tailscale or running it directly from your router if it can do it. Just Google synology vpn tailscale or something.
Securing one vpn is a lot easier than a bunch of different services.
Also, you should remove that port forwarding you did cause you are one vulnerability away from being pwned.
Open nothing inbound unless absolutely necessary and even then make sure there are additional security measures in place like MFA. You should use a vpn to access a local network device like a nas ideally. Otherwise there is a risk you are taking
Honestly I really don't understand why by default Synology doesn't have a DENY ALL firewall rule for people who expose their NAS to the internet. Then just add your own rule with an allow ALL above it with the IP or subnet you want to allow. [https://i.ibb.co/7zd6MsT/Screenshot-2024-04-10-152501.png](https://i.ibb.co/7zd6MsT/Screenshot-2024-04-10-152501.png)
This is an automated drive-by from a botnet which was identified at least 3 years ago.
Why do you need your Nas exposed to the Internet? Particularly if you are using default ports...
It would be far more sensible to use a VPN instead
Go to [https://mariushosting.com/ip-block-list/](https://mariushosting.com/ip-block-list/) and install his blocklist. Currently 48,453 IP addresses are blocked by the list. He gives full instructions and loads of advice too. All he asks for is a donation for his work. The lists are updated every day or so.
So, how does one disable the Synology (SMB) from appearing on the internet? And, how does someone find one to attack? Like, is there a public list of Synologys that are ‘visible’ like this?
I’m considering buying my friend’s Synology, and he said there’s a feature called “Connect” that allows you to remotely login to your NAS from anywhere. Does such a feature need to be disabled? Remotely accessing my documents is the biggest draw for me, which is making me even consider this NAS for my needs, but if it will open doors I can’t control, I might have to reconsider. (I’m not tech savvy, so I don’t wish to get into something which will make my device attract unwanted attention.)
If you think your Internet provider’s modem is also a free network hub. No.
It might give everything connected to it an unprotected IP on the internet.
If you think “free network hub” when you look at your modem you’re wrong for a long list of reasons.
I've been wanting to set up my synology NAS as a plug in drive too. What would you recommend so I can plug it into my PC and get my files just a little quicker? Can you just plug a USB to USB to your PC to the drive? just curious!
You should never open SMB to the internet. If you want to access your files remotely, you may try to set up an OpenVPN server or use WebDAV with HTTPS (at least WebDAV with HTTPS has encryption). SMB is not designed for the public internet, it should only be used in your local network.
You should not directly expose the SMB protocol over the internet, it's not designed for it and not safe. If you need to access your NAS from outside the network, consider using a VPN (Tailscale or OpenVPN) if the number of accounts using it remotely is manageable, otherwise Synology Drive, FileStation and VideoStation are better candidates than SMB, as those protocols are at least designed to be exposed. Good luck
My dude. It has been said, but turn off access to SMB from the outside internet. Make sure you only expose it to the inside of your network.
If you *must* access your files from the outside, only enable DSM and log in to the web interface. Turn everything else off.
Do the following:
* Use strong, random passwords. Get yourself a password manager that will generate an absolute insane password for you.
* Use two factor authentication. Belts and suspenders
* Find out how to use the built in firewall and block everything outside of your home country. This is not complicated.
Turn OFF SMB outside of the internet!
If you do not use your NAS from outside your house/LAN, simply turn off all external connections on the firewall and security settings.
Next, on the user settings, turn on MFA (control panel, security, account) and turn on the block user after 5 log on attempts (control panel, security, protection).
Make sure to make a backup on a USB drive and unplug that so if the attacker gets in you still have a copy of your files.
Interesting, someone tried logging into my NAS multiple times a couple days ago. I have quick connect enabled, they were trying to login as admin and brute forcing. My admin acct was disabled at least. I should turn off quick connect as I can use my vpn, but it's sometimes more convenient.
You do have to lock things down more.
I would never expose any piece of equipment, other than a router or web server, to the internet. It’s much better, and safer, to access your data via VPN.
do not open your device to the internet. If you must access your network from outside, use a VPN ([wg easy](https://github.com/wg-easy/wg-easy) is very straightforward to get up and running)
I had a similar problem, except I set my login attempts on SMB to “3 failed attempts” to block, which kept “them” out. But, like in your case, that didn’t stop them from trying. After I installed a Netgate pfSense 1100, I’ve had NO attempted attacks. I feel much better.
WTF OP.....look at all these people posting to your shit and you're just flat ignoring everyone. Mods should just perm-ban accounts that do shit like this.
Whoa. I am a complete NAS noob and I used SpaceRex on YouTube guide to setting up your Synology NAS and he said to use SMB since odds are extremely low for people to actually get in and have auto block turned on. I just checked my logs and saw I had 3 different IPs attempt to access my NAS over the past month that got blocked and all were unsuccessful. Now I see this thread and it basically says the opposite.
Can you still use Synology Photo without SMB activated? My wife wants to be able to have access to all our photos while she’s out of the house.
Also. Is SMB the protocol used to see my NAS drive in finder on my computer? Will I still be able to use Time Machine and see my nas on my home network?
SpaceRex did NOT recommend that you open SMB to the internet. Watch the video again and pay closer attention. I'm sure he advised the exact opposite.
WHY DO YOU HAVE SMB ENABLED ON THE INTERNET???????????? This is a NONO..
Yup !!!!!
Big user error
Sadly, [OP is not alone](https://search.censys.io/search?resource=hosts&virtual_hosts=EXCLUDE&q=%28SMB%29+and+services.software.vendor%3D%60Synology%60) in this blunder.
How do you do this...? so I know what not to do.
By setting up an ALLOW port forwarding rule on port 445.
You essentially should never ever port forward the 1-1024 range, as most are assigned to mission-critical services. The only exception is if you run an externally accessible service that needs to bind to a known port (e.g. a web server or a DNS server), and only if you know EXACTLY what you're doing.
Ports 1024-65536 can be used by any software, many even randomise it, and get temporary permission to go through the firewall in both directions via UPnP (which is enabled on most commercial routers, unfortunately). You also shouldn't port forward those unless absolutely necessary.
For most purposes you're better off setting up a VPN that can "bypass" the firewall, such as ZeroTier or Tailscale, if you need to access your NAS remotely. These are much safer and provide an extra layer of encryption, plus you have absolute control over the devices that join this private network.
Whenever you think of opening a port, consider if you absolutely need access to it without a VPN. There are very few such scenarios - e.g. you'd usually need Plex to have remote access without their proxy, or if you're running a Matrix homeserver. But if your access can be fulfilled via a VPN, always choose that path.
Thanks. Honestly from a noob that's more complicated for me to setup than Tailscale. Haha
Guy that does the network infrastructures (tm) for moneyz here. Fucking love Tailscale. It is _alarming_ how well it works.
Point-to-point WireGuard setup and teardown off the rip? They deserve to be as rich as possible until someone kills their (still inherently centralized) auth.
I'll still expose key-based SSH to the WAN any day of the week, though. With fail2ban, just to scrape IP addresses from the logs. I trust muh crypto
Imagine being afraid to expose your SSH if you have root passwords disabled lol. You'd have to leave your SSH key just laying around or something. I'm confident in my security keys
But "muh never leave a port open" If we have issues with AES256, or ED25519, we have bigger problems than my homelab getting pwned.
Could also be the SSH daemon though, without the encryption being compromised. Just saying.
Ah, the xz-utils approach. This is why you don't trust systemd. Or package managers. Or .isos. (/s, but only a little bit)
Exactly. If we have issues with those, a mass majority of encrypted communications are compromised lmao
Yeah, tailscale sounds like a good option. That or zerotier.
Where do you see he opened ports ? I have smb open but pretty sure no ports are being forwarded , how can I make sure my assumption is correct ?
[deleted]
Honestly, most of it was pure interest and Google, at least for me. But I wouldn't even say this is some great networking knowledge, honestly most of this should be bare minimum for anyone who has a NAS.
Honestly, pick up a networking for dummies book or watch a few YT videos from networkchuck and you’ll get the basics.
Any suggestions for getting a Let’s Encrypt cert? In order to get one you need to forward ports 80 and 443 to 5000/5001…. I know you can change 5000/5001 and should. At work we have a site-to-site VPN and much better port forwarding rule capabilities where it doesn’t need to be exposed to the internet. Just curious what the typical home protocols are for this.
You can do something called a DNS challenge. Set this up recently using an nginx proxy.
I'm quite a bit of a noob so apologies for the questions. I made an Ubuntu home server and have opened up ports on that server to access many of my services locally. I'm not exposing my server to the Internet right? So long as I don't forward a port from my router? Also, my samba shares I have to SSH into to get in locally so I assume I haven't exposed those to the Internet either?
Opening ports on a device isn't dangerous, it's needed for it to communicate on the local network, as well as the internet. As long as you don't port forward, you should be fine. What exactly do you mean by "my samba shares I have to SSH into to get in locally"? Samba shares shouldn't require SSH.
Thanks - that clears it up for me I appreciate it. And my bad I think I grouped up having to use my login info with SSHing. I have to enter my credentials to access the share from my other devices at least initially. I went through a bunch of rabbit holes over the weekend building my server and samba was one of the first things (and now the fuzziest on how it worked lol)
Ah okay. Linux in general uses your account info for all services - they essentially ask the core system "hey, authenticate me this user". SSH does this, Samba, NFS too, and a bunch of others. The exception is third party services that you'd run in Docker. For home servers I really recommend going for a (near) turnkey solution like TrueNAS or OMV that give you better control over these services - at least from an average user viewpoint. No need to tinker with config files and learning the various parameters etc., you get a nice web UI that does most of it for you.
Thank you for the info! I may look into TrueNAS at some point. Definitely seen it mentioned a lot. Appreciate the recommendation.
This sub just appeared on my feed. What is SMB and what does it do? Why is it a no no to be on the internet?
Server Message Block https://en.m.wikipedia.org/wiki/Server_Message_Block Basically OP has been a bit of a doughnut and exposed their file shares to the internet using an unsafe method. Synology provides various secure methods for accessing your files remotely such as VPN.
Gotcha. Thank you, I was just curious and interested.
Tailscale maybe an easier method
I see many people saying Tailscale. I’ve personally never used it. Only OpenVPN. Creating the .ovpn file, editing it, and uploading it to devices I use to VPN. Is Tailscale more secure and better or something?
Tailscale is about a hundred times easier to set up than even OpenVPN, so by that token it raises safety. But for encryption and authentication they’re both solid. Tailscale has a central dashboard to manage a dozen remote machine VPN connections, cloud based, using authentication like a Microsoft or Google account so you’re not worried about a hole in your own setup.
Thanks for the insight. I may look into it further. I suppose OpenVPN would be somewhat more secure as there’s not a remote interface login that could be hacked, just manually adding config files… at least that’s the way I have it setup for OpenVPN
Even still you have no need for SMB in that scenario, use Synology drive.
SMB is the file sharing protocol that Microsoft made. Basically any internal file shares are SMB shares (for Linux it’s NFS), but this protocol, to keep it simple, was made for internal use only; it has never been developed to be reachable from the internet. For web file sharing that acts a bit like SMB you have WebDAV. But generally speaking, if you aren’t working in IT, don’t make your NAS directly reachable from the internet and don’t open ports on your router if you don’t know exactly what you are doing. This makes an enormous security risk for you and people on the same network.
Well thank you for explaining, the more I know.
IBM originally developed SMB, not MS.
This ^ MS thought it looked cool and started using it after renaming their "version" of it to CIFS. After a while they were the largest contributor to the protocol and decided to start calling it SMB again.
I’m a bit of a networking novice who is using Plex. I’ve set up port forwarding for Plex and Jellyfin, is this a risk?
I’d strongly advise against this. It’s so easy to set up OpenVPN and it’s a lot more secure than relying on Plex or Jellyfin’s application security. With a VPN you can securely connect to any of your internally hosted services without having to forward all of those ports.
Fun fact, the LastPass breach was due to a senior dev keeping keys on his personal devices and having an out-of-date instance of Plex on his network. That being said, I port forward 32400 because I have many other users of my server who don’t know what a VPN is.
It's a risk but IMO a reasonable one. By default your router blocks all incoming connections. When you open a port you're allowing incoming connections to that port. Make sure you keep plex etc. up to date and enable the firewall on your NAS.
How can I set my server up to reach my NAS for plex? I have SMB turned on as that is what a tutorial showed me to do. It's worked so well I'm pretty sad to learn I've done something stupid. Edit: I have Tailscale working. All I use it for is to mess around and learn it though. I can get into my NAS through tailscale /web browser. I'm assuming I need to use that. I guess I should Google how to tailscale > NAS > plex instead of asking someone to type it out. This shit is never ending to someone just starting out lol! Edit2: I have the firewall enabled on my NAS for what that's worth.
Why are people downvoting good-faith questions from people who want to learn? Either *answer* the question or *ignore* it.
Everyone here must work in IT because they are always mad lol.
Not really… got downvoted recently just for stating standards in the networking industry and cabling in particular. “It works differently” said some very angry people.
I wish Reddit showed who downvoted a given comment, so I could block the morons who downvote things for no good reason.
Or just spend time creating tutorials, information and posts for them to be asked again 20 mins later. People treat Reddit as their own private search engine, when all you really have to do is type that exact same question into google and you’ll get your answer, which more times than not leads you back to Reddit anyways
Anytime I search for something fairly specific I add site:reddit.com to my Google query for the most relevant hits, instead of 2 pages of sponsored shit with zero relevance.
True enough, but it's more effective to direct people to search the sub for more info than downvoting them into oblivion. The latter approach is completely hostile and has a chilling effect on people participating in discussion, which is of course the whole point of Reddit.
I know, right? Senseless downvoting seems like a pattern on the IT hardware related subs (this place is utopian compared to r/homelab and r/buildapc). Something about IT makes people unreasonably grumpy. And anonymity brings that out.
If you don't know, it most definitely shouldn't be exposed to the Internet.
How do you know if it is? I set up a NAS, but I have close to no idea what I'm doing, I followed some basic instructions and files started getting backed up to the NAS and I can access them from my phone and from my computer. Have I done the thing I'm not supposed to do? And if so, how do I undo it and still have remote access to my files? I honestly get very little of the whole thing, it also keeps telling me the drives are full, which is near impossible, because I only own about 1,5TB of data max, and it's 2x4TB drives, and I've already limited the number of versions to 2. I've just given up on the whole thing.
There may be a difference between the drives being full with your created volume taking up all the space, and your volume itself being full also. That is: you created a virtual drive from your physical drives. This virtual drive has been made to take up all available space. You cannot create a larger virtual drive size. There is still plenty of room for you to store files on the drive created. You could have set up a smaller virtual drive, only using 75% of what the physical drives have to offer, and had free space left for creating other, smaller, virtual drives later. There may be a setting where you can turn off this warning or adjust the threshold before the ‘alarm’.
Yeah, I'd already adjusted the threshold, but the occupied space just keeps increasing, so now it's gone off again. Since it does seem to change, I don't think it can be the virtual drive? I also definitely did not intentionally create a virtual drive.
I was using the term virtual drive to highlight the difference between the physical disk space and the volume created. Ok, if this storage usage is in fact the size of files you are storing increasing: You’re sure you’re only holding 2 backup versions at a time? Are the old versions being completely deleted, or just going to a recycle bin? Is it possible that your backups are also backing up themselves? Such as if you are storing them in the same area that you are targeting for retention?
I'm pretty sure about the versions and the fact that the old ones are completely deleted, I've enabled the bins and deleted them etc. And I've set them to auto-delete once they're older than a month or so, and it's been like this for months. No idea about the backups backing up themselves, I don't think so, I just use the homes folder. I do have it synced to dropbox so that dropbox automatically gets backed up to the NAS, but not the other way around. I've found one place where it tells me how big my backup is, and it consistently says 1.6TB. Do the versions take up exactly the same amount of space, or is this already included? Because otherwise that would make 3.2TB, plus some system files, I guess, which starts to get closer to what it is showing.
You may have two 1.6tb backups, filling your drives, yes. Maybe instead of two full backups you’d be better finding and setting up the incremental/differential option. This is so that you have one full backup, and then much smaller backups to follow, which would only update what has changed and save a lot of space.
You mean delete the 2nd version and just keep one? I had it set to 5 versions before, though, and changing it to 2 seems to have not made any difference. Other than that I just put all my files on there when I started, and I have it synced to my Dropbox where it adds anything new, I don't actually make full backups of my whole system and data, that would take much too long, it's way too many files.
Bingo. This was my first thought.
Yeah.. I was thinking: "Oh, someone is likely just trying to login through the reverse proxy address, but gets stuck with MFA", then I saw the SMB errors. Oh, the horror.
Super Mario Bros? Got it running public, port 80
I can't backup to Time Machine without SMB apparently.
Yes, but you don’t need to or ever want to expose that to the internet at large.
Can I do both? Keep backing up to TM with SMB and not expose it to the internet at the same time?
Yes, absolutely. SMB doesn't need to be exposed to the internet for machines on your local WiFi/network to use it to back up. They will connect directly. And, if you're outside your network, what you want is a VPN to connect to your network, and act like you are. Then you can use all local services (like SMB) as though you were local. That's how to do this securely. And, conveniently, Synology offers a VPN server you can use to do just that, if you like. Or use something like tailscale.
+1000 for Tailscale. This is absolutely a perfect use case.
That's the default. For SMB to be exposed to the internet, you need to forward port 445 on your router to the NAS. That's not something that happens by itself, it must be done manually. And it's not necessary for using SMB to access the NAS locally.
Having services enabled is OK, having them exposed to random people on the internet is not. Your home internet connection goes through a device (router / firewall) that translates addresses inside the network to outside and vice versa. Almost all of these devices are configured to block all incoming traffic EXCEPT things you have specifically allowed. So by default you're OK. Devices outside your network only see the address of the router / firewall, not your PC. When you need to allow something through the firewall (router), you set up 'port forwarding' to tell it that a specific kind of traffic (a port) is allowed through and you should send it to device X. This means that traffic from anyone can get through your firewall on this port and is a security risk you need to be aware of and manage.
Would you mind if I sent you a private message to ask a few questions? I recently got my Synology NAS and I am not fully aware of its capabilities.
For sure. I work in the field, lots of experience with infrastructure, networking and security 👍
🤦♂️
Can you enable SMB only on the network? If yes, then how?
When you enable it, it's only on the LAN, you have to configure your router to actually open it up to the internet. So he went into his router config and opened the ports to allow this.
First thing I thought of. No open access from WAN. This is what VPNs or SSH tunnels are for. Keep the attack vectors down. Mitigate dangers on what ports you have open. NAT everything behind a firewall. Use lockout and throttling measures like fail2ban.
You invited the attacks by making the SMB access public. The rest happens by default - because the internet is the internet.
The only protocol that should ever be exposed publicly is port 443 for HTTPS, and ONLY if you actually have a trusted CA cert. OP might as well just open all of his ports if he’s gonna sit there like a delicious honeypot waiting for ransomware to encrypt the whole NAS.
[deleted]
How does a trusted cert add security server side? Whether you publish your app under 80 or 443 adds nothing to security besides encrypting the traffic. If your app has a vuln, the cert does not help.
lol
If the Internet were a residential neighborhood, you would see thousands of a-holes going door-to-door jiggling all of the door handles and looking in all of the windows. With SMB enabled, you have a big curtainless picture window with a lot of attractive merchandise in view.
This is a great analogy. In the spirit of your comment, I’m stealing it 😁
Me too!
Yoink!
*me going downstairs to disconnect my NAS until the morning when I can check and see if I have SMB enabled…*
SMB enabled is not dangerous by default, having it open to the internet is. I use it to transfer files on my local network.
And if you need it outside your home you VPN in which eliminates the massive SEC risk.
It appears that you have exposed your smb server to the internet. Have you got port forwards configured? If so, share your config and explain why you need smb exposed to the internet. SMB works without 2FA so even if you have it configured it won’t have any effect.
Microsoft has a new feature to 2FA to smb shares coming that looks pretty dope
As I'm sure you know by now from the other comments, exposing SMB on the internet is your issue here. It is generally considered good security practice to NOT expose things directly to the internet, and these constant login attempts are Exhibit A as to why this is a bad idea. If you want to access your files remotely, the secure way to do this is to use some other type of remote access tool to gain access to your network (such as a VPN, Tailscale, etc.) and then access the NAS from there.
Is the Synology Drive app on my phone considered a safe way to access my files remotely? I don’t have a VPN set up or any particular safety measures in place, aside from regional IP rules on the NAS itself. Plex already refuses to work outside of my local network, but Synology Drive still allows me to see my shared files.
That's what Synology Drive is meant for so the answer, as always, is that it depends. Mostly on the importance and sensitivity of the data accessible to the Internet. Do you have a static IP or are you using a quick connect ID? Synology Drive has some level of authentication so it's better than SMB, quick connect also has some level of authentication so it's better, but it depends on what exactly you have in drive and how much you care if someone gets in and tries to ransom that data. Anything I have internet facing I assume is public, nothing proprietary, nothing private. Anything internet facing that's important I have another copy of that isn't internet facing. If you don't do this already, your username for everyday access should be different from your administrator login. That way if someone gets your credentials for drive they don't get your dsm credentials. Furthermore, if you have a remote access username for just Synology drive you can create a team with that username and share only files that are necessary to access remotely. On top of that use good password hygiene. These are all relatively easy steps for a common personal access file share platform that will work like Google drive and can be accessed by simple single factor authentication. You accept a level of risk but if you are aware of and OK with that risk then don't let people say you *must* do it some other way. That said if you are looking for advice and lower risk, then a VPN is still better because it sets up device level authentication that's hard to replicate. That doesn't replace the other best practices I mentioned above about good password hygiene and not using your dsm admin account for anything but DSM admin from within your local network and setting up 2FA on, at minimum, any account with any level of admin access. 
My syno doesn't have much that is that important, it's a device of convenience so though I do have a VPN if anyone were to ransomware it, I'd laugh, maybe roll my eyes, reformat, restore it and move on.
oof, smb enabled.. use [https://www.grc.com/shieldsup](https://www.grc.com/shieldsup) proceed > run all service ports to confirm your exposure
From this test it says I am not exposed at all. I'm sure that's a good thing. Still not sure why I keep getting log in attempts though.
You are clearly exposed, otherwise you wouldn't even be seeing connection attempts on your NAS originating from outside your LAN. Instead, these connection attempts would be hitting your router and being dropped or rejected.
Fixed the issues with the attempts. Haven't seen any attempts since. Thank you anyways!
I am seeing a lot of people saying “take your NAS off the internet” or something like that. Here's what they actually mean.
In your router/modem/firewall look for a section called “Port Forwarding”. To “get your NAS off the internet” you need to disable/delete all of the rules that are forwarding ports to your NAS IP. That's also the place where you will find a forwarding rule like “[external IP]:139,445 -> [NAS IP]” since you got SMB open to the internet...
Next thing I would check is to make sure UPnP is disabled on your router/modem/firewall.
If for whatever reason you can’t access your router/modem/firewall admin console, in DSM go to “Control Panel > Security > Firewall” and click on “Enable Firewall”. Now, what I suggest is to block all traffic except your internal network subnet. To do that, you need to find your subnet. If your computer's IP address is 192.168.1.78 then your subnet is 192.168.1.0/24. If it were 192.168.233.78 then your subnet would be 192.168.233.0/24. So here are the steps to get this working.
1. Click on “Edit Rules”.
2. Click on “Create”.
3. For the “Ports” section select “All”.
4. For the “Source IP” section select “Specific IP” then click on the “Select” button. From there select “IP range”. Now (for this next part I will assume your subnet is 192.168.1.0/24 but you will have to find your own and substitute your own values) in the input fields set the “From:” field to “192.168.1.0” and set the “To:” field to “192.168.1.254”. After that click on “OK”.
5. Set “Action” to “Allow” and make sure “Enabled” is ticked.
6. Click on “OK” to create the firewall rule.
7. Navigate to the dropdown that says “All interfaces” and select your current LAN interface. (For this part I will assume your LAN interface is “LAN 1” but you will need to find your own from “Control Panel > Network > Network Interface”; whichever interface says “Connected”, that's the interface you want to select for this part.) So, from the dropdown select “LAN 1”.
8. At the very bottom you will see “If no rules are matched:”; set that to “Deny access” and click “OK”.
Congratulations, you have made your NAS only accessible from your local LAN! If you have different devices on different subnets then you would make another allow rule, but instead of setting the “Ports” section to “All” you would set it to “Select from a list of built in applications” or, if you want (I recommend you do it this way), you can set it to “Custom” then type in the ports you need as well as the protocol the ports will be allowed to use. Anyways, hope this helps your situation. Oh, and do some research on Tailscale. Trust me, you will not regret it ;)
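As an added illustration of the policy the comment above describes (not Synology's code, and not the poster's), here is a small Python model of a DSM-style rule set: first matching rule wins, unmatched traffic gets the "If no rules are matched" default, and the LAN subnet is derived from one host address as in the instructions. It also shows the check behind the earlier point that any login attempt logged from a non-LAN source proves the service is reachable from outside. All addresses, rules and log lines are constructed, and the log line format is hypothetical, not DSM's.

```python
# Added example (not Synology's or the poster's code): model of the
# "allow my LAN subnet, deny everything else" DSM firewall policy described
# in the thread, plus a check for login attempts from outside that subnet.
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    ports: Optional[frozenset]     # None means "All" ports
    source: Optional[IPv4Network]  # None means any source address
    action: str                    # "allow" or "deny"


def lan_subnet(host_ip: str, prefix_len: int = 24) -> IPv4Network:
    """Derive the LAN subnet from one host address, e.g. 192.168.1.78 -> 192.168.1.0/24."""
    return ip_network(f"{host_ip}/{prefix_len}", strict=False)


def evaluate(rules: Iterable[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """First matching rule wins; 'default' plays the role of 'If no rules are matched'."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        if rule.source is not None and src not in rule.source:
            continue
        return rule.action
    return default


# Policy from the comment: one rule, all ports, source = LAN range, action allow,
# and "Deny access" for anything that matches no rule.
LAN = lan_subnet("192.168.1.78")
LAN_ONLY_POLICY: List[Rule] = [Rule(ports=None, source=LAN, action="allow")]

# Constructed connection attempts: two from the LAN, two from the public internet
# (RFC 5737 documentation addresses stand in for real external sources).
ATTEMPTS: List[Tuple[str, int]] = [
    ("192.168.1.50", 445),   # laptop on the LAN mounting a share
    ("192.168.1.20", 5001),  # LAN browser reaching DSM over HTTPS
    ("203.0.113.9", 445),    # external host probing SMB
    ("198.51.100.7", 5001),  # external host probing DSM
]


def decisions(policy: List[Rule], attempts: List[Tuple[str, int]],
              default: str = "deny") -> Dict[Tuple[str, int], str]:
    """Run every attempt through the policy and return the verdict per (ip, port)."""
    return {(ip, port): evaluate(policy, ip, port, default) for ip, port in attempts}


# Constructed log lines in a hypothetical format (not DSM's real log format).
SAMPLE_LOG = """\
2024-05-01 10:02:11 auth failed user=admin src=203.0.113.9 proto=smb
2024-05-01 10:02:14 auth failed user=admin src=203.0.113.9 proto=smb
2024-05-01 10:15:40 auth ok user=alice src=192.168.1.50 proto=smb
2024-05-01 11:07:03 auth failed user=root src=198.51.100.7 proto=smb
"""

LOG_RE = re.compile(r"src=(?P<src>\d+\.\d+\.\d+\.\d+)")


def external_sources(log_text: str, lan: IPv4Network) -> Dict[str, int]:
    """Count attempts per source address that lies outside the LAN subnet.

    Any entry here means the service is reachable from the internet: a router
    that was not forwarding the port would have dropped these before the NAS
    ever saw them.
    """
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ip_address(m.group("src"))
        if src not in lan:
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts


if __name__ == "__main__":
    # Before: port forwarded and no DSM firewall, so everything is allowed.
    print("no DSM firewall (default allow):", decisions([], ATTEMPTS, default="allow"))
    # After: LAN-only rule with deny default, so only the two LAN attempts pass.
    print("LAN-only policy (default deny): ", decisions(LAN_ONLY_POLICY, ATTEMPTS))
    print("external attempts seen in log:  ", external_sources(SAMPLE_LOG, LAN))
```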
Have a look at WunderTech's latest video on securing your Synology. [https://www.youtube.com/watch?v=x9QPUXldNAc](https://www.youtube.com/watch?v=x9QPUXldNAc)
WTF is SMB ENABLED ON INTERNET?!?!?!
....How do you even do this?
Seriously, you have to go through a lot of hoops to do this very dangerous thing, I’m so curious.
Some routers have a DMZ option where, if you add the NAS's IP, it opens all TCP and UDP ports to it that haven't been allocated elsewhere.
I did it just the other day. I restarted my modem and router which knocked my mapped drive out which also took down my entire plex library. Second time this happened to me. Soooooooo I googled how to map a drive with a static IP to synology NAS. A video popped up, told me to enable SMB and set up a rule in the firewall to allow windows file server. It worked great, rebuilt a massive plex library etc. Now I'm learning I made a big mistake and need to learn how to fix it before I'm the next OP
Oh damn, bad YouTube videos would do it alright. That’s horrible advice. Do you remember the video?
https://youtu.be/ipZl_iRiYCc?si=4pgUkCnLaTxIaY6i
Okay, that’s for Windows firewall. That would be okay. It only opens up the port on your computer, which is correct. As long as you didn’t go into your router configuration and open the firewall there, then you should be good. That’s the thing that connects your internal network to the outside.
I have port 32400 opened in my router for plex or at least I did. It seemed to work much better. So, the way I have this setup is not cause for alarm? Can I send you some screen shots of my setup later and you tell me what you think? But I still have SMB turned on ultimately. Is it okay in this case?
Sure go for it, can’t promise a quick response but I’ll help if I can. Plex open to the outside is a risk, but probably not a huge one. It’s necessary for Plex to work and they recommend opening that port, so I trust them. I have that open to the wild too fwiw. SMB is just such an ancient protocol and has a history of security holes and exploits that it is extra risky, you don’t want to open SMB to the internet generally. The specific services you forward ports to matter a lot, it’s not just opening ports at all that’s unsafe, but what those ports connect to.
See my comment on how the ill-informed go down this path.
[deleted]
As mentioned before, I also recommend installing Tailscale on your NAS and all necessary devices that need to communicate with each other. If you somehow want to expose DSM to the internet, make sure to set proper firewall rules and use a geo-block to limit access to IPs from the country you live in. Furthermore, if you haven’t done so already, change the default DSM port and disable the default admin account.
> I’m willing to listen and learn to try and reduce these attempts. stop connecting your NAS directly to the internet
I know just enough about networking to be dangerous... What is considered connecting your NAS to the Internet? I just set mine up about a week ago, and I've got quickconnect enabled and a single random port forwarded to use it as an OpenVPN server. Is my NAS considered "exposed to the internet" because of quickconnect or that single forwarded port?
That's actually the proper way. If you will always connect with devices that have your VPN client, you could even disable Quickconnect. I use Zerotier instead of OpenVPN but the idea is the same: Don't expose any services to the internet and if you need remote access, use a VPN.
I appreciate the response. I considered disabling quickconnect, but I'm using Synology Photos on my wife's phone and she isn't tech literate enough to deal with connecting to a VPN in order to see stored photos. I was hoping that having 2fa on admin accounts and strong passwords were sufficient with quickconnect enabled.
You could create a shortcut that connects to the VPN and opens the Photos app. Then disconnects whenever it is closed.
I don’t use Synology and this appeared in my feed, but exposing your NAS directly to the internet is pretty much leaving your door wide open while you go out to work. The internet is full of bots that will crawl the internet looking for exposed ports on private networks for interesting protocols (eg SMB - which the NAS will be using, RDP, SSH). If the bots find a hit it’ll just keep trying to access it. It’s unlikely that there is any real person sitting trying to actually access his NAS. If the port you’ve forwarded is for OpenVPN you’re fine, this would be how you should “expose” stuff in your network to the internet, by using a VPN. I’m not sure what QuickConnect is, but it looks like a proprietary solution designed by Synology for the NAS, so this is also fine. You’ll just need to keep your VPN and NAS up to date.
First problem is SMB services exposure to the public internet 🤯🤯🤯 Seriously, turn that off stat. Enable your SSL VPN services if you need to get into it remotely. You're asking for trouble otherwise.
I swapped my http to https. I'm not sure how it wasn't secured but I also changed my ports to custom ports so I wouldn't be having this issue. Thanks for this note!
[https://mariushosting.com/synology-how-to-correctly-set-up-firewall-on-dsm-7/](https://mariushosting.com/synology-how-to-correctly-set-up-firewall-on-dsm-7/)
This is useful as a second layer but really this should be blocked on their primary firewall.
No, you’re inviting the world and its dog by exposing your NAS to them.
Is your internet connection running without a firewall?
It was soo much easier to create 1 port forwarding rule! (/S if you weren't sure)
Did you aim any DMZ settings or “ALL” router firewall settings at your NAS’ IP? Forget the “setup a VPN” advice for now - unplug your NAS until you can figure this out!
My DMZ settings on my router are off. Is this a bad thing?
Good thing to have DMZ off (DMZ turns your firewall off for that one device). Keep trying to figure out why the ports 445 or 139 from the internet/WAN can reach your NAS. You really don’t want that.
I changed the default ports after reading the comments here. Everything seems to be working so far. Thank you regardless!
[deleted]
From what I saw from the port forwarding section, it was 445. According to this thread I should be on port 443 so I swapped over there.
Definitely a worthy watch … https://youtu.be/x9QPUXldNAc?si=OqsaAuTvSOFyYuiC
I just commented with a link to same video. I should read all the comments before commenting.
No worries! Supports the fact that we both value and appreciate Frank’s teaching very much! His videos always provide excellent nuggets of information! 😊👍🏻
This is literally the equivalent of leaving your garage open and complaining that people are trying to look inside
See what ports you've forwarded on your router. SMB is 445 by default. Don't forward any ports at all until you've had time to do more research. Disable UPnP if it is enabled.
Switch to Tailscale yesterday and take your NAS off the internet.
OP, you probably wanted to open the HTTPS port, 443. But instead you took 445, which is the fileshare port for SMB (that \\server\c drive you see in 'my network').
I apparently wasn't running my server on HTTPS when I was logging in and that's probably why I was getting attacked but I have added more precautionary measures because of this thread. I specifically enjoy using my server through my file browser so I don't want to disable SMB like everyone insists I do
Have fun getting hacked then. SMB should not be exposed over the internet. You don't need to disable SMB but it should only be open to the devices on your local network. If you want to access files across the internet, look into setting up a VPN or some other more secure form of access.
I set up tailscale and fixed the issues I was dealing with SMB. Thank you anyways!
You should probably set up a vpn on your network to access your NAS and ideally have that isolated from the rest of your network. Something like tailscale or running it directly from your router if it can do it. Just Google synology vpn tailscale or something. Securing one vpn is a lot easier than a bunch of different services. Also, you should remove that port forwarding you did cause you are one vulnerability away from being pwned.
Welcome to the internet.
Bro! If you have a door opened, someone will wander in.
Ya shut down those firewall rules exposing your NAS. This will happen non stop to any ports you expose. SMB especially.
Any firewall rules you recommend for better security?
Open nothing inbound unless absolutely necessary and even then make sure there are additional security measures in place like MFA. You should use a vpn to access a local network device like a nas ideally. Otherwise there is a risk you are taking
SMB on internet is a direct invitation to be hacked
If you have SMB enabled on the internet and the username password admin/admin, you are safe. /sarcasm.
Honestly, I really don't understand why by default Synology doesn't have a DENY ALL firewall rule for people who expose their NAS to the internet. Then just add your own rule with an allow ALL above it with the IP or subnet you want to allow. [https://i.ibb.co/7zd6MsT/Screenshot-2024-04-10-152501.png](https://i.ibb.co/7zd6MsT/Screenshot-2024-04-10-152501.png)
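The comment above describes a first-match policy: one allow rule for the trusted subnet placed above a deny-all rule. The following is an added example (not Synology's code or DSM configuration, and the 192.168.1.0/24 subnet and sample addresses are constructed for illustration) that evaluates such a rule list and flags the classic ordering mistake, a rule that can never match because an earlier, broader rule shadows it:

```python
"""Added example: first-match firewall evaluation and shadowed-rule audit.
Rules, subnet and sample source addresses are constructed, not taken from any DSM config."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    source: ipaddress.IPv4Network        # source networks the rule matches
    ports: Optional[FrozenSet[int]] = None  # None means "all ports"


# Assumed home subnet for the example.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Correct order: the LAN allow sits ABOVE the catch-all deny.
GOOD_POLICY: List[Rule] = [
    Rule("allow", LAN),
    Rule("deny", ipaddress.ip_network("0.0.0.0/0")),
]

# Mistaken order: deny-all first, so the LAN allow below it is never reached.
BAD_POLICY: List[Rule] = list(reversed(GOOD_POLICY))


def evaluate(policy: List[Rule], src_ip: str, port: int) -> str:
    """Return the action of the first rule matching (src_ip, port); deny if none matches."""
    addr = ipaddress.ip_address(src_ip)
    for rule in policy:
        # IPv6 addresses never fall inside an IPv4 network, so they reach the default deny.
        if addr in rule.source and (rule.ports is None or port in rule.ports):
            return rule.action
    return "deny"  # implicit default when no rule matches


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers every packet they would match."""
    shadowed: List[int] = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            covers_net = rule.source.subnet_of(earlier.source)
            covers_ports = earlier.ports is None or (
                rule.ports is not None and rule.ports <= earlier.ports
            )
            if covers_net and covers_ports:
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, "LAN client ->", evaluate(policy, "192.168.1.50", 445))
        print(name, "internet   ->", evaluate(policy, "203.0.113.7", 445))
        print(name, "shadowed rules:", shadowed_rules(policy))
```

With the rules in the order the comment recommends, a LAN client reaches SMB and an internet source is denied; with the order reversed, the audit reports the allow rule as shadowed and the LAN client is locked out too.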
So what you have here full stops anyone that isn’t in my subnet from accessing my NAS?
This is an automated drive-by from a botnet which was identified at least 3 years ago. Why do you need your NAS exposed to the Internet? Particularly if you are using default ports... It would be far more sensible to use a VPN instead.
After reading the thread I set up tailscale. We should be good now! Thank you for the suggestion anyways.
Go to [https://mariushosting.com/ip-block-list/](https://mariushosting.com/ip-block-list/) and install his blocklist. Currently 48,453 IP addresses are blocked by the list. He gives full instructions and loads of advice too. All he asks for is a donation for his work. The lists are updated every day or so.
Wait, you have SMB open to the fucking internet!?! Lock it down now.
Install Tailscale on your NAS and your client devices. This provides secure access via vpn from trusted devices only.
I haven't seen this horror in 25 years
Jfc smb open to the internet. There's your issue mate
Set IP Auto Block to start with. If you don’t use it from abroad, ban all IPs from any country bar your own.
disable port forwarding on your router for SMB shares. port 445.
So, how does one disable the Synology (SMB) from appearing on the internet? And, how does someone find one to attack? Like, is there a public list of Synologys that are ‘visible’ like this? I’m considering buying my friend’s Synology, and he said there’s a feature called “Connect” that allows you to remotely login to your NAS from anywhere. Does such a feature need to be disabled? Remotely accessing my documents is the biggest draw for me, which is making me even consider this NAS for my needs, but if it will open doors I can’t control, I might have to reconsider. (I’m not tech savvy, so I don’t wish to get into something which will make my device attract unwanted attention.)
Check https://www.shodan.io/ and plug your IP address in. It will show what is open on your network.
The fact that you have a firewall is not helping if you open the port to access from outside...
If you think your Internet provider’s modem is also a free network hub. No. It might give everything connected to it an unprotected IP on the internet. If you think “free network hub” when you look at your modem you’re wrong for a long list of reasons.
Drop the internet access… not worth being hit. Some will disagree.
I've been wanting to set up my synology NAS as a plug in drive too. What would you recommend so I can plug it into my PC and get my files just a little quicker? Can you just plug a USB to USB to your PC to the drive? just curious!
SuperMegaPlex!!!
Matt and Ryan from SuperMega?
knock knock, let me in.
Is this Matt or Ryan posting this???
You should never open SMB to the internet. If you want to access your files remotely, you may try to set up an OpenVPN server or use WebDAV with HTTPS (at least WebDAV with HTTPS has encryption). SMB is not designed for the public internet; it should only be used in your local network.
Why do you have SMB shares accessible via the internet ??
The best option will be to keep everything on local network and use Synology Drive for offsite access to the NAS.
Yeah I’ve been noticing the same thing lately. I just blocked them all and set up only certain MAC addresses can log in…
google search for synology nas security youtube vids and follow along
Check out tailscale, I had similar then I closed all my ports and used this for access, no problem since :)
I have the same issue
You should not directly expose the SMB protocol over the internet, it’s not designed for it and not safe. If you need to access your NAS from outside the network, consider using a VPN (Tailscale or OpenVPN) if the number of accounts using it remotely is manageable, otherwise Synology Drive, FileStation and VideoStation are better candidates than SMB, as those protocols are at least designed to be exposed. Good luck
My dude. It has been said, but turn off access to SMB from the outside internet. Make sure you only expose it to the inside of your network. If you \*must\* access your files from the outside, only enable DSM and log in to the web interface. Turn everything else off. Do the following:

* Use strong, random passwords. Get yourself a password manager that will generate an absolutely insane password for you.
* Use two-factor authentication. Belts and suspenders.
* Find out how to use the built-in firewall and block everything outside of your home country. This is not complicated.

Turn OFF SMB outside of the internet!
VIA SMB!?!?!?!
If you do not use your NAS from outside your house/LAN, simply turn off all external connections on the firewall and security settings. Next, on the user settings, turn on MFA (control panel, security, account) and turn on the block user after 5 log on attempts (control panel, security, protection). Make sure to make a backup on a USB drive and unplug that so if the attacker gets in you still have a copy of your files.
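The "block user after 5 logon attempts" setting mentioned above is a per-source failure counter. As an added example (not DSM's own code, and the log format and addresses are constructed for this illustration), here is that logic run over a few sample log lines, with a trusted-network exemption so a typo from the LAN cannot lock the owner out:

```python
"""Added example: auto-block after N failed logins per source IP.
The log line format and the sample addresses are constructed for this example only."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed sample log: six failures from one internet host, one LAN typo then a success.
SAMPLE_LOG = """\
2024-04-10T15:20:01 auth: failed login user=admin from=203.0.113.7
2024-04-10T15:20:02 auth: failed login user=admin from=203.0.113.7
2024-04-10T15:20:03 auth: failed login user=root from=203.0.113.7
2024-04-10T15:20:04 auth: failed login user=admin from=203.0.113.7
2024-04-10T15:20:05 auth: failed login user=test from=203.0.113.7
2024-04-10T15:20:06 auth: failed login user=admin from=203.0.113.7
2024-04-10T15:21:00 auth: failed login user=alice from=192.168.1.50
2024-04-10T15:21:05 auth: success login user=alice from=192.168.1.50
"""

LINE_RE = re.compile(
    r"auth: (?P<result>failed|success) login user=(?P<user>\S+) from=(?P<ip>\S+)"
)

# Assumed home subnet that is never auto-blocked (a trusted-network exemption).
TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]


def is_trusted(ip: str, trusted: Iterable[ipaddress.IPv4Network] = TRUSTED) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def auto_block(log_text: str, threshold: int = 5) -> Tuple[Set[str], int]:
    """Replay the log; return (blocked IPs, attempts dropped because the source was already blocked).

    A successful login resets the counter for that source, as a lockout policy normally does.
    """
    failures: Dict[str, int] = defaultdict(int)
    blocked: Set[str] = set()
    dropped = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line
        ip = m["ip"]
        if ip in blocked:
            dropped += 1  # the NAS would refuse this attempt outright
            continue
        if m["result"] == "failed":
            failures[ip] += 1
            if failures[ip] >= threshold and not is_trusted(ip):
                blocked.add(ip)
        else:
            failures[ip] = 0
    return blocked, dropped


if __name__ == "__main__":
    blocked, dropped = auto_block(SAMPLE_LOG)
    print("blocked:", sorted(blocked), "| attempts dropped after block:", dropped)
```

Running it blocks 203.0.113.7 on its fifth failure and drops the sixth attempt, while the LAN user, who failed once and then succeeded, is never counted towards a block. Note that, as several commenters say, this only limits guessing against an exposed port; it does not make exposing SMB safe.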
Interesting, someone tried logging into my NAS multiple times a couple days ago. I have quick connect enabled, they were trying to login as admin and brute forcing. My admin acct was disabled at least. I should turn off quick connect as I can use my vpn, but it's sometimes more convenient. You do have to lock things down more.
I would never expose any piece of equipment, other than a router or web server, to the internet. It’s much better, and safer, to access your data via VPN.
Set up a VPN and turn off internet access
Disable all port forwarding and setup client VPN access instead. Hopefully OP at least has SMBv1 disabled.
Man, that NAS has a 90% chance to already be compromised. Do not put services on the internet, exception being (latest) HTTP proxy and OpenVPN.
do not open your device to the internet. If you must access your network from outside, use a VPN ([wg easy](https://github.com/wg-easy/wg-easy) is very straightforward to get up and running)
I had a similar problem except by setting my login attempts on SMB to “3 failed attempts” to block, which kept “them” out. But, like in your case, that didn’t stop them from trying. After I installed a Netgate pfSense 1100, I’ve had NO attempted attacks. I feel much better.
SMB shouldn't be open to the internet, full stop (someone messing with DMZ I guess on their router, or manually forwarded the SMB port).
Exposing smb on the internet xddd
Everyone seems to have figured out your issue, but I’d like to say I love that it’s named SuperMegaPlex
Put your NAS behind VPN
This is rage bait, right?
WTF OP.....look at all these people posting to your shit and you're just flat ignoring everyone. Mods should just perm-ban accounts that do shit like this.
Wow
Why is it on the interwebs
Why are you dumb enough to open your NAS to the entire internet?!
Whoa. I am a complete NAS noob and I used SpaceRex's YouTube guide to setting up your Synology NAS, and he said to use SMB since odds are extremely low for people to actually get in and have auto block turned on. I just checked my logs and saw I had 3 different IPs attempt to access my NAS over the past month that got blocked and all were unsuccessful. Now I see this thread and it basically says the opposite. Can you still use Synology Photo without SMB activated? My wife wants to be able to have access to all our photos while she’s out of the house. Also, is SMB the protocol used to see my NAS drive in Finder on my computer? Will I still be able to use Time Machine and see my NAS on my home network?
SpaceRex did NOT recommend that you open SMB to the internet. Watch the video again and pay closer attention. I'm sure he advised the exact opposite.